Nearly two weeks after attackers exploited Kaseya VSA systems to deploy REvil ransomware, the company has released a security update for the on-premises and SaaS versions of the software. Kaseya released VSA 9.5.7a on Sunday (July 11th). The release notes list seven CVEs (Common Vulnerabilities and Exposures), four of which had already been addressed in VSA 9.5.5 or 9.5.6.
- VSA 9.5.7
  - CVE-2021-30116 – Credentials leak and business logic flaw
  - CVE-2021-30119 – Cross-Site Scripting (XSS) vulnerability
  - CVE-2021-30120 – 2FA bypass
- VSA 9.5.6
  - CVE-2021-30117 – SQL injection
  - CVE-2021-30121 – Local file inclusion (LFI) vulnerability
  - CVE-2021-30201 – XML External Entity (XXE) vulnerability
- VSA 9.5.5
  - CVE-2021-30118 – Remote code execution (RCE) vulnerability
The update to 9.5.7 also addresses several vulnerabilities that have no CVE identifiers, such as password hashes being returned in some API responses and unauthorized file uploads. In addition, many features have been deprecated, replaced, or temporarily disabled until further notice in version 9.5.7. For the full details, please see the release notes for VSA 9.5.7a.